Monday, November 20, 2017

This Holiday Season - Buy One IoT Device, Get Free CVEs

As the Internet of Things gains steam and continues to develop, so do adversaries and the threats affecting these systems. Companies throughout the world are busy deploying low-cost Internet-connected computing devices (aka the Internet of Things) to solve business problems and improve our lives. In tandem, criminals are developing their methods for abusing and compromising vulnerable and poorly defended IoT devices.

In the past year, we have seen criminals recruit vulnerable IoT devices to form the Mirai botnet, capable of launching the largest denial of service attack in history, and more recently witnessed the emergence of further IoT botnets, which consist of many thousands of infected devices performing the bidding of a criminal owner. These networks of devices can be instructed to simultaneously bombard websites with network traffic, bringing down systems under the strain of the coordinated denial of service attack.

Talos researches and monitors the threat environment in order to protect Cisco customers against emerging threats. We strive to make the wider community aware of the issues of poorly secured IoT devices, and actively hunt for vulnerabilities. In recent weeks, Talos has published reports on vulnerabilities which we have resolved in home security cameras, a Disney branded home IoT device designed to increase security, and in software designed to run on embedded systems, such as those used in IoT systems.

Many of these vulnerabilities allow attackers to execute unauthorised computer code on devices, permitting attackers to read data, launch attacks at other systems, or render the compromised device inoperable. Not only may an insecure device leak information that should never be released, but an unprotected vulnerable device is at the mercy of attackers.

As with all vulnerabilities discovered by Talos, we follow our published responsible disclosure policy to ensure that vendors have the time to release patches to fix the vulnerabilities. We understand that, in the field, applying patches to a vulnerable system is not always easy, or even possible. This is why, when we disclose the presence of a vulnerability, we release open-source Snort signatures to detect and block attempted exploitation of the vulnerability.

Protecting potentially vulnerable IoT devices with Intrusion Prevention System (IPS) network security defenses forms only part of the full suite of IoT protection available from Cisco. Cisco also offers cybersecurity and Internet of Things training courses through the Cisco Networking Academy. The goal of these programs is to increase skill levels among current workers, and enable new employees to enter the workforce with the knowledge necessary to succeed.

Securing the Internet of Things begins with an awareness of the problem. Awareness of the issues and the risks, as well as of the solutions to the problem, is a vital first step to resolving the issue. We are committed in our research to identify the vulnerabilities and the techniques that may be used by criminals to subvert the Internet of Things, and committed to ensuring that everyone can reap the benefits that this new frontier offers.